vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857
and 026aeff).

Impact: DoS for privileged guest users.  qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <>
Reported-by: David Buchanan <>
Signed-off-by: Gerd Hoffmann <>
kraxel committed Sep 1, 2017
1 parent e652941 commit 3d90c6254863693a6b13d918d2b8682e08bbc681
Showing with 114 additions and 94 deletions.
  1. +110 −92 hw/display/vga-helpers.h
  2. +3 −2 hw/display/vga.c
  3. +1 −0 hw/display/vga_int.h
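The mechanism the commit message describes (pass an offset into display memory instead of a pointer, and have every read fold that offset back into the allocation with a size mask) in a self-contained C model. This is an added example written for this page, not code from QEMU or from the commit; the type and function names (`vga_model`, `vga_read_byte_model`, `draw_line_model`, and so on) are invented, the display memory size is assumed to be a power of two so that `size - 1` works as a mask in the role of `vbe_size_mask`, and the test pattern in memory is constructed. The model masks every byte of a multi-byte read rather than only its base offset; that is a choice made here to keep the model obviously in-bounds, not a statement about how the project's helpers are written.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical, simplified model of the fix described in the commit
 * message. NOT QEMU's code: the names are invented and the structure is
 * reduced to what the fix needs. The display path works on an offset into
 * display memory, never a raw pointer, and every access masks that offset
 * so it stays inside the allocation.
 */
typedef struct {
    uint8_t *vram;           /* display memory */
    uint32_t vram_size;      /* power of two (assumption of this model) */
    uint32_t vram_size_mask; /* vram_size - 1, playing the role of vbe_size_mask */
} vga_model;

/* Allocate display memory and fill byte i with (i & 0xff), a constructed
 * test pattern that makes it easy to see where a read actually landed.
 * Returns 0 on success, -1 on failure. */
static int vga_model_init(vga_model *s, uint32_t size)
{
    if (size == 0 || (size & (size - 1)) != 0) {
        return -1;           /* the mask trick only works for power-of-two sizes */
    }
    s->vram = malloc(size);
    if (!s->vram) {
        return -1;
    }
    for (uint32_t i = 0; i < size; i++) {
        s->vram[i] = (uint8_t)i;
    }
    s->vram_size = size;
    s->vram_size_mask = size - 1;
    return 0;
}

static void vga_model_free(vga_model *s)
{
    free(s->vram);
    s->vram = NULL;
}

/* Masked read helpers: any 32-bit offset is folded back into the
 * allocation, so a guest-chosen start address cannot walk off the end.
 * Multi-byte reads mask each byte, so a read that straddles the end of
 * memory wraps to the start instead of running past it. */
static inline uint8_t vga_read_byte_model(const vga_model *s, uint32_t addr)
{
    return s->vram[addr & s->vram_size_mask];
}

static inline uint16_t vga_read_word_le_model(const vga_model *s, uint32_t addr)
{
    return (uint16_t)(vga_read_byte_model(s, addr) |
                      (vga_read_byte_model(s, addr + 1) << 8));
}

static inline uint32_t vga_read_dword_le_model(const vga_model *s, uint32_t addr)
{
    return (uint32_t)vga_read_word_le_model(s, addr) |
           ((uint32_t)vga_read_word_le_model(s, addr + 2) << 16);
}

/* The pre-fix hazard, expressed as a check rather than as code that
 * dereferences anything: a pointer-based draw of `width` bytes starting at
 * `addr` touches memory past the end of vram (the guard page the commit
 * message mentions) whenever this returns nonzero. */
static int pointer_draw_would_overrun(uint32_t vram_size, uint32_t addr,
                                      uint32_t width)
{
    return (uint64_t)addr + width > vram_size;
}

/* Post-fix pattern: draw one scanline by offset. addr and width derive
 * from guest-programmable registers, so both are untrusted. */
static void draw_line_model(const vga_model *s, uint32_t addr,
                            uint8_t *dst, uint32_t width)
{
    for (uint32_t i = 0; i < width; i++) {
        dst[i] = vga_read_byte_model(s, addr + i);
    }
}

/* Sum of the bytes a masked draw reads; with the (i & 0xff) pattern this
 * tells you which bytes of vram the draw actually visited. */
static uint32_t draw_line_sum_model(const vga_model *s, uint32_t addr,
                                    uint32_t width)
{
    uint8_t *line = malloc(width ? width : 1);
    uint32_t sum = 0;
    if (!line) {
        return 0;
    }
    draw_line_model(s, addr, line, width);
    for (uint32_t i = 0; i < width; i++) {
        sum += line[i];
    }
    free(line);
    return sum;
}

int main(void)
{
    vga_model s;
    if (vga_model_init(&s, 4096) != 0) {
        return 1;
    }
    /* A 16-byte line starting 6 bytes before the end of a 4 KiB vram. */
    printf("pointer draw would overrun: %d\n",
           pointer_draw_would_overrun(s.vram_size, 4090, 16));
    printf("masked draw checksum: %u\n", draw_line_sum_model(&s, 4090, 16));
    printf("masked dword at 4094: 0x%08x\n", vga_read_dword_le_model(&s, 4094));
    vga_model_free(&s);
    return 0;
}
```

With a 4096-byte model and a 16-byte line starting at offset 4090, the pointer-based variant would read ten bytes past the allocation, while the masked variant reads bytes 4090..4095 and then wraps to 0..9; the only observable effect is garbage on screen rather than a crash, which is the trade the commit message describes.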

